Firefox ESR/Duo: Not reporting minor version in user agent
We use ESR due to its stability and long term security updates, and we use Duo as our SSO/IDP.
We have Duo set to deny login when the browser is more than 6 mo out of date, but due to the way FF reports only the main version number via the user agent Duo is unable to determine that FF ESR is actually up to date and thinks that it's too old and my users are being denied login or getting an erroneous message about needing to update their browser.
Is there a way to set FF to report it's whole version to Duo? We would prefer not to have to "outlaw" FF in our prod environment if at all possible.
All Replies (8)
The Firefox useragent has not shown the minor updates since Firefox 16.0.1 as Mozilla has been making the Firefox useragent have less of a fingerprint over the years.
"FIXED User Agent strings for pre-release Firefox versions now show only major version (728831)"Though the updated subject for the Bug changed to "Don't expose the Firefox patch level (13.X.Y) in the UA string, only show the major version (13.X)"
Another case of this is with Firefox on macOS where it shows macOS 10.15 in Firefox UA even if the user has a later macOS version which is what you basically see with Firefox 116.0 or later. Fx 116.0 or later requires macOS 10.15 or later to run.
Unless Mozilla extends support, the older Firefox 115 ESR channel is coming to an end in support with Fx 115.15.0esr being the last planned update in early September. Fx 128 ESR will then be the only supported ESR as the next ESR will not be until Firefox 140.0 release.
Modified
Thanks James, I completely understand the timeline for the ESR releases, we are pusing 128 now.
With regards to the user agent string, I completely get why this is a good move for consumers, but hopefully you can see how this undermines the security that some orgs are trying to build into their production environments. Duo is a popular product, so we can't be the only ones with this issue. We want users to use multi factor auth, but also run the latest version of their chosen browser and one that is supported and stable. As it stands now, Duo pretty much cannot work with FF unless we significantly weaken our security posture and increase our attack surface by allowing browsers to be more than a year out of date, or switching to the rapid release version of FF and sacrifice stability and possibly security.
Mozilla could fix this by allow admins the ability to set the user agent string options, preferably on a site bases. That way we could push a profile that sets FF to report it's full version and MacOS version to only Duo. I looked through the list of enterprise options we can manage, and it looks like there is nothing for the user agent string.
I guess if Mozilla has no interest in enterprise use of FF, then they can disregard this, but I really hope this is not the case. For now we may have to tell our uses that FF is not an approved browser for our environment, unless someone on here has a work around we can use to tweak the user agent string?
Modified
Can't you allow all user agents in Duo? Or is there possibility to add UAs in the "Permit only certain user agents" option?
I raised this with Duo support, and their response indicated that since FF does not expose the entire version in the user Agent string, there was nothing they could do about it.
The policy for this, as near as I can tell, is all or nothing, either I limit all browsers, or none, though I can exclude access for specific browsers, but it's not granular enough to set FF to a longer period of checking that other browsers.
I'm confused by this because technically 115 is more than a year out of date per Duos standards, and they haven't blocked.
We use Duo at Mozilla and this has not come up.
Why do you have Duo "set to deny login when the browser is more than 6 mo out of date" if you are using the ESR?
As far as Duo goes, they could simply exclude the known ESRs from their version checks.
115 is a year out of date, and yes, our policy completely blocked it and you cannot login to Duo in that version of FF with our Duo setup. 128 allows login, but it warns that there are only 4 more months before this will be denied completely as well. 140 is more than 4 months away, so we'll be out of luck with FF.
"Why do you have Duo "set to deny login when the browser is more than 6 mo out of date" if you are using the ESR?"
Because we have to worry about more than just FF. Chrome, Edge and Safari are used heavily in our environment, and we want to limit them to only more recent versions. I really do not think it's unreasonable to limit people to a more recent version in order to make sure that their browser is less of a vector for attack. We want to force our users to update their browsers, and this is a great carrot for that, if we can get working.
I really wish that Duo's policies were that fine grained, but unless I am missing something, they just aren't (I've added this question to my ticket with them about this). And what I can set applies to ALL browsers, not just Firefox. So if I weaken it for FF, then I weaken it for all other browsers, so what may not seem like a big deal since we run FF ESR, could be a major issue for Safari or Chrome.
If you use Duo and Mozilla, and have not run into this, then either you are not controlling for browser versions in your policy, or I have really missed something vital (though I doubt this) and I would love to know how you have it setup. If it's the former, then you could use any version of FF to login, all the way to the first version, which open you up to attack and circumvention of 2FA etc. Perhaps not a big risk, but bigger than we'd like in our prod environment.
Yeah, come to find out we don't use the browser version.
Even if we added the minor version, it wouldn't solve this, because Duo would still have to update their checks to handle the minor version, and if they are going to do that, they might as well just exclude our ESR versions completely from their checks.
The odds that someone is on 115 and is NOT on the ESR is pretty slim.